Re: [web2py] Rocket issues
It sounds to me like these two issues are really one. Basically, Rocket is not sending an HTTP response when in HTTPS mode. It closes the socket but (for some reason) Python doesn't close it immediately. This causes a client to hang for a while. Thanks for the clarification. Jon, if it's ok with you can I send you test versions? -tim On 4/28/2010 4:38 PM, Jonathan Lundell wrote: On Apr 28, 2010, at 8:48 AM, Jonathan Lundell wrote: On Apr 28, 2010, at 6:56 AM, Jonathan Lundell wrote: 2) if a localhost managed server is configured using the same port as [web2py], but http protocol, atttempting to connect to that URL will cause [web2py] to become unresponsive to all requests until it is restarted. With the same configuration, prior versions will display an unable to obtain API version warning, but will remain functional. The configuration attempted was: Name: localhost Description: Localhost URL: http://127.0.0.1:8004 OK, I have a clarification on this one. I had misinterpreted the report. In the above case, web2py is configured as https-only, port 8004. The web2py app is configured to *talk* to another (non-web2py) entity at http://localhost:8004. This is a conflict, of course. But with CherryPy, the communication simply failed (resulting in the 'API version' message above; I'll try to find out what the underlying error was). With Rocket, web2py becomes unresponsive and has to be restarted. More data. It seems that CherryPy explicitly detects an attempt to make an http connection to its https socket and sends back a 400 Bad Request (which I'm seeing). If you're poking around in CherryPy, the key bit of code is this: if thirdarg == 'http request': # The client is talking HTTP to an HTTPS server. raise NoSSLError() ...and you can see how it deals with NoSSLError elsewhere. My impression is that Rocket simply closes the connection, but a) I could be wrong, and b) whatever is going on isn't enough. Try this simple test: start web2py/rocket in SSL mode, and then use Firefox or Safari (all I've tried it with) to connect to that port with http. You should see the browser hang. Well, you shouldn't, really, but you will. I think. At this point, I'm sort of stuck. I'd like to upgrade web2py for an upcoming release, but I can't.
Re: [web2py] Rocket issues
On Apr 29, 2010, at 5:58 AM, Timothy Farrell wrote: It sounds to me like these two issues are really one. Basically, Rocket is not sending an HTTP response when in HTTPS mode. It closes the socket but (for some reason) Python doesn't close it immediately. This causes a client to hang for a while. Thanks for the clarification. Jon, if it's ok with you can I send you test versions? Yes, I agree that they seem to be the same, and yes, please send me test versions. Thanks.
Re: [web2py] Rocket issues
To those reading. I've submitted a fix to Massimo that Jonathan's engineers have tested (we should all have engineers =) ). There's one question that remains. Is this serious enough for an immediate web2py bugfix release? I don't think so. -tim On 4/29/2010 9:07 AM, Jonathan Lundell wrote: On Apr 29, 2010, at 5:58 AM, Timothy Farrell wrote: It sounds to me like these two issues are really one. Basically, Rocket is not sending an HTTP response when in HTTPS mode. It closes the socket but (for some reason) Python doesn't close it immediately. This causes a client to hang for a while. Thanks for the clarification. Jon, if it's ok with you can I send you test versions? Yes, I agree that they seem to be the same, and yes, please send me test versions. Thanks.
Re: [web2py] Rocket issues
On Apr 29, 2010, at 10:37 AM, Timothy Farrell wrote: To those reading. I've submitted a fix to Massimo that Jonathan's engineers have tested (we should all have engineers =) ). There's one question that remains. Is this serious enough for an immediate web2py bugfix release? I don't think so. Probably not. The risk is that in some circumstances there's a DoS vulnerability (I think?); otherwise the offending case isn't actually useful and won't be missed. -tim On 4/29/2010 9:07 AM, Jonathan Lundell wrote: On Apr 29, 2010, at 5:58 AM, Timothy Farrell wrote: It sounds to me like these two issues are really one. Basically, Rocket is not sending an HTTP response when in HTTPS mode. It closes the socket but (for some reason) Python doesn't close it immediately. This causes a client to hang for a while. Thanks for the clarification. Jon, if it's ok with you can I send you test versions? Yes, I agree that they seem to be the same, and yes, please send me test versions. Thanks.
Re: [web2py] Rocket issues
On Apr 28, 2010, at 6:56 AM, Jonathan Lundell wrote: 2) if a localhost managed server is configured using the same port as [web2py], but http protocol, atttempting to connect to that URL will cause [web2py] to become unresponsive to all requests until it is restarted. With the same configuration, prior versions will display an unable to obtain API version warning, but will remain functional. The configuration attempted was: Name: localhost Description: Localhost URL: http://127.0.0.1:8004 OK, I have a clarification on this one. I had misinterpreted the report. In the above case, web2py is configured as https-only, port 8004. The web2py app is configured to *talk* to another (non-web2py) entity at http://localhost:8004. This is a conflict, of course. But with CherryPy, the communication simply failed (resulting in the 'API version' message above; I'll try to find out what the underlying error was). With Rocket, web2py becomes unresponsive and has to be restarted.
Re: [web2py] Rocket issues
On Apr 28, 2010, at 8:48 AM, Jonathan Lundell wrote: On Apr 28, 2010, at 6:56 AM, Jonathan Lundell wrote: 2) if a localhost managed server is configured using the same port as [web2py], but http protocol, atttempting to connect to that URL will cause [web2py] to become unresponsive to all requests until it is restarted. With the same configuration, prior versions will display an unable to obtain API version warning, but will remain functional. The configuration attempted was: Name: localhost Description: Localhost URL: http://127.0.0.1:8004 OK, I have a clarification on this one. I had misinterpreted the report. In the above case, web2py is configured as https-only, port 8004. The web2py app is configured to *talk* to another (non-web2py) entity at http://localhost:8004. This is a conflict, of course. But with CherryPy, the communication simply failed (resulting in the 'API version' message above; I'll try to find out what the underlying error was). With Rocket, web2py becomes unresponsive and has to be restarted. More data. It seems that CherryPy explicitly detects an attempt to make an http connection to its https socket and sends back a 400 Bad Request (which I'm seeing). If you're poking around in CherryPy, the key bit of code is this: if thirdarg == 'http request': # The client is talking HTTP to an HTTPS server. raise NoSSLError() ...and you can see how it deals with NoSSLError elsewhere. My impression is that Rocket simply closes the connection, but a) I could be wrong, and b) whatever is going on isn't enough. Try this simple test: start web2py/rocket in SSL mode, and then use Firefox or Safari (all I've tried it with) to connect to that port with http. You should see the browser hang. Well, you shouldn't, really, but you will. I think. At this point, I'm sort of stuck. I'd like to upgrade web2py for an upcoming release, but I can't.